Ubuntu forums back online after attack analysis reveals XSS tactic

The compromise of an individual account and configuration settings led to the recent issue with the Ubuntu forums.

According to a blog post, the Linux user forum is back up and running after an attacker accessed a moderator account and post announcements and private messages to three forum administrators.

The attacker claimed that there was a server error on the announcement page, asked the other administrator to look and was subsequently compromised also.

It said: “We believe the attacker added an cross-site scripting attack in the announcement they posted which sent the cookies of any visitor to the page to the attacker. Once the attacker gained administrator access in the forums, they were able to add a hook through the administrator control panel.

“Hooks in vBulletin are arbitrary PHP code which can be made to run on every page load. The attacker installed a hook allowing them to execute arbitrary PHP passed in a query string argument. They used this mechanism to explore the environment and also to upload and install two widely available PHP shell kits. The attacker used these shell kits to upload and run some custom PHP code to dump the ‘user' table to a file on disk which they then downloaded.”

Ubuntu determined that the attacker had full access to the vBulletin environment as an administrator and shell access as the ‘www-data' user on the Forums app servers. This access was used to download the ‘user' table which contained usernames, email addresses and salted and hashed (using md5) passwords for 1.82 million users.

However it does not know how the attacker gained access to the moderator account used to start the attack, or what cross-site scripting attack was used as the announcement the attacker posted was deleted by one of the Forum administrators.

In response, it has contacted users to change passwords, wiped and rebuilt servers and manually imported data into a fresh database after sanity checking each table.

It has also switched the forums to use Ubuntu single sign-on for user authentication, implemented automated expiry of inactive moderator and administrator accounts, reviewed and further hardened the firewalling around the Forums servers and switched to forcing HTTPS for the administrator and moderator control panels and made it optionally available everywhere else.

“There was no compromise of Ubuntu itself, or any other Canonical or Ubuntu services. We have repaired and hardened the Ubuntu Forums, and as the problematic settings are the default behaviour in vBulletin, we are working with vBulletin staff to change and/or better document these settings,” it said.

“We will continue to work with vBulletin staff to discuss changes to the default settings which could help others avoid similar scenarios as this. Finally, we'd like once again to apologize for the security breach, the data leak and downtime.”

At the time of reporting the attack, Ubuntu said that the forums had been down due to maintenance and confirmed that attackers had gained every user's local username, password and email address from the Ubuntu Forums database.

SC Media UK arms cyber-security professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face and establish risk management and compliance postures that underpin overall business strategies.